Choose a language:

Everything you need to know about preventing online shopping bots

Published:
Updated: 20 May 2025
green bot in shopping cart

Online shopping bots are moving from one ecommerce vertical to the next. And they're getting more sophisticated by the day. As an online retailer, you may ask, "What's the harm? Isn't a sale a sale?". But bots pose major risks to your business. Read on to discover if you have an ecommerce bot problem, learn why preventing shopping bots matters, and get 4 steps to help you block bad bots.

Last year, a top global gaming company dropped a new product. Traffic to the site soared.

428,000 visitors tried to access the waiting room for the drop, but the company only let 28,000 in.

Why?

Because 94% of the traffic came from bots, scalpers, and uninvited visitors.

Retail bot attacks like this are becoming more and more common. During the 2024 Holiday Season, 36% of all ecommerce web traffic came from bad bots, an increase of 24% YoY. 

But what are signs of a shopping bot problem? What business risks do they actually pose, if they still result in products selling out? And what steps can you take to stop retail bots? Read on to find out.

Table of contents

 

Do you have a bot problem? Get your free guide to uncover the risks of bots & discover how you can beat them
retail bots guide

What are shopping bots?

An online shopping bot, also known as an "ecommerce bot" or "grinch bot", is software that's programmed to help make online purchases by performing automated tasks like checking for re-stocks and completing checkouts. Bots often imitate a human user's behavior, but with their speed and volume advantages they unfairly find and buy products in ways human customers can't.

Online shopping bots perform different malicious tasks. An individual bot may do one or more of these. A "grinch bot", for example, usually refers to bots that purchase goods, also known as scalping. But there are other nefarious bots, too, such as bots that scrape pricing and inventory data, bots that create fake accounts, and bots that test out stolen login credentials.


RELATED:
Protect Against Bad Bots & Prevent Abuse With a Virtual Waiting Room

How do online shopping bots work?

Online shopping bots work by using software to execute automated tasks based on instructions bot makers provide.

What all shopping bots have in common is that they provide the person using the bot with an unfair advantage. If shoppers were athletes, using a shopping bot would be the equivalent of doping.

Typically, ecommerce bots gain these advantages using either speed, or volume.

  • Speed: Bots can constantly monitor websites for new products or sales, making automatic purchases the moment the product appears. In high-demand scenarios, they can add products to cart and checkout before a regular user even has a chance to login.

  • Volume: Bots can simulate thousands of users, using fake accounts, virtual computers, and fake IP addresses. On one sale we worked on, we found and blocked a single person who was trying to get 30,000+ positions in an online queue. Bots use volume to evade detection, overwhelm defenses, and buy products in bulk.

In a typical high-demand sale or product drop, scalpers are not only faster than a normal website visitor, they also outnumber them by 10 to 1. Unless the retailer has advanced bot mitigation in place, regular people don't stand much of a chance.

RELATED: Bot Mitigation: How To Detect & Stop Bad Bots

What are the different types of retail bots?

scraping shopping botScraping bots

Scraping shopping bots work by monitoring web pages to facilitate online purchases. These bots scrape pricing information, inventory availability, and similar information so they can act the moment there's an opportunity for profit.

 

footprinting shopping botFootprinting bots

Footprinting is like scraping, but involves the bot probing and scanning the website for hidden pages. For example, a footprinting bot could search for live web URLs that haven’t yet been made public.

When the manager of a U.K.-based reseller group was asked how he bought so many PlayStation 5 consoles he answered: “We knew where to go before they announced it”. That’s footprinting in action.

Footprinting is also behind examples where bad actors ordered PlayStation 5 consoles a whole day before the sale was announced. By the time the retailer closed the loophole that gave the bad actors access, people had picked up their PS5s—all before the general public even knew about the new stock.

 

account creation shopping botAccount creation bots

For bad actors to complete purchases, they often need to use an account. Bad actors can generate a list of free emails and then use an account creation bot to generate accounts in bulk, sometimes in the hundreds or thousands.   

 

account takeover shopping botCredential stuffing & cracking bots

Sometimes instead of creating new accounts from scratch, bad actors use bots to access other shopper’s accounts. Both credential stuffing and credential cracking bots attempt multiple logins with (often illegally obtained) usernames and passwords.

In a credential stuffing attack, the shopping bot will test a list of usernames and passwords, perhaps stolen and bought on the dark web, to see if they allow access to the website.

A credential cracking bot will start with one value, like an email, and then test different password combinations until the login is successful.

 

scalping shopping botScalping bots

Probably the most well-known type of ecommerce bot, scalping bots (or purchase bots) use unfair methods to get limited-availability and/or preferred goods or services.

For example, scalper bots can “sit” on the product web page, constantly refreshing to click “add to cart” the second the product becomes available. Then the scalper bot can click through the purchase journey, autofill billing and shipping information, and press “buy” in the time it takes a human visitor to enter his or her email address.

 

denial of inventory shopping botDenial of inventory bots

Ever wonder how you’ll see products listed on secondary markets like eBay before the products even go on sale? Denial of inventory bots are to blame.

Representing the sophisticated, next-generation bots, denial of inventory bots add products to online shopping carts and hold them there. They don’t buy them—at least not initially.

By holding products in the carts they deny other shoppers the chance to buy them. What often happens is that discouraged shoppers turn to resale sites and fork over double or triple the sale price to get what they couldn’t from the original seller.

Only when a shopper buys the product on the resale site will the bad actor have the bot execute the purchase.

Denial of inventory bots are especially harmful to online business’s sales because they could prevent retailers from selling all their inventory.

 

cashing out shopping botCashing out bots

Bad actors don’t have bots stop at putting products in online shopping carts. They’ll use bots to validate stolen credit card information. Cashing out bots then buy the products reserved by scalping or denial of inventory bots.

What products do ecommerce bots target?

Ecommerce bots target any product or vertical they believe they can make a profit off. This typically means products that are in high demand, with low supply. Some of the most common products targeted by bots include:

  • Sneakers: Limited-edition sneaker launches attract bots in massive volumes. Nike reports they get 12 billion illegitimate sneaker raffle entries every month.

  • Collectibles: Bots exploit the passion of collectors by snatching up limited-edition goods and selling them back to collectors at massive markups.

  • Graphics cards & gaming consoles: Anyone in the gaming world knows the problems bots caused when PlayStation 5s and graphics cards were in low supply.

  • Holiday Season deals: Every year, "Grinch" bots snatch up the hottest kids toys of the season, selling them back to parents at inflated prices.

  • Limited-edition product drops: Brand collaborations, celebrity product launches, hyped apparel—all these low supply launches attract bots in big numbers.

RELATED: How Sideshow Collectibles Runs "launches our customers can trust"

How to identify an ecommerce bot problem

It might sound obvious, but if you don’t have clear monitoring and reporting tools in place, you might not know if bots are a problem.

As bots get more sophisticated, they also become harder to distinguish from legitimate human customers.

So what should you look for? Here’s a few red flags.

 

1. Increase in login failures

A spike in login failures could signal credential stuffing and cracking bots trying to take over existing customer accounts.

 

2. Spike in account creations

Increased account creations, especially leading up to a big launch, could indicate account creation bots at work. They’ll create fake accounts which bot makers will later use to place orders for scalped product. 

 

3. Traffic from unfamiliar geographies

Seeing web traffic from locations where your customers don’t live or where you don’t ship your product? Then you may be under attack from bots. This traffic could be from overseas bot operators or from bots using proxies to mask their true IP address. 

 

4. Increase in shopping cart abandonment

An increased cart abandonment rate could signal denial of inventory bot attacks. These bots hold product so others can’t buy. When the cart time expires, they snatch the products up again. They’ll only execute the purchase once a shopper buys for a marked-up price on a secondary marketplace. This behavior will reflect in your cart abandonment rate.   

 

5. Visits to product pages that aren’t public-facing

Footprinting bots snoop around website infrastructure to find pages not available to the public. If a hidden page is receiving traffic, it’s not going to be from genuine visitors.

 

6. Increase in traffic from data center IP addresses

Genuine users rarely originate from data center IP addresses. Instead, bot makers typically host their scalper bots in data centers to obtain hundreds of IP addresses at relatively low cost. In fact, research shows 70% of bad bots come from data centers. A spike in data center traffic likely signals a bad bot problem.


RELATED: Improve Bot Protection with Data Center IP blocking

 

7. Abnormal pageviews or bounce rates

If you observe a sudden, unexpected spike in pageviews, it’s likely your site is experiencing bot traffic. If bots are targeting one high-demand product on your site, or scraping for inventory or prices, they’ll likely visit the site, collect the information, and leave the site again. This behavior should be reflected as an abnormally high bounce rate on the page.

 

Google analytics traffic spike

How to prevent bots

As you’ve seen, bots come in all shapes and sizes, and reselling is a very lucrative business. For every bot mitigation solution implemented, there are bot developers across the world working on ways to circumvent it.

It’s a cat-and-mouse game. Which means there’s no silver bullet tool that’ll keep every bot off your site. Even if there was, bot developers would work tirelessly to find a workaround. That’s why just 15% of companies report their anti-bot solution retained efficacy a year after its initial deployment. The target is constantly moving for retailers.

The key to preventing bad bots is that the more layers of protection used, the less bots can slip through the cracks.

If you have four layers of bot protection that remove 50% of bots at each stage, 10,000 bots become 5,000, then 2,500, then 1,250, then 625. In this scenario, the multi-layered approach removes 93.75% of bots, even with solutions that only manage to block 50% of bots each. 

 

1. Monitor & identify bot traffic

As the saying goes, if you can’t measure it, you can’t improve it. If you don’t have tools in place to monitor and identify bot traffic, you’ll never be able to stop it.

Sometimes even basic information like browser version can be enough to identify suspicious traffic.

Once scripts are made, they aren’t always updated with the latest browser version. Human users, on the other hand, are constantly prompted by their computers and phones to update to the latest version. It’s highly unlikely a real shopper is using a 3-year-old browser version, for instance.

It's recommended to show CAPTCHAs to browsers not updated in 2 years, and to flat out block browsers that haven't been updated in three years.

 

CAPTCHA

End of life over 2 years ago

BLOCK

End of life over 3 years ago

Chrome version

< 102

<  90

Firefox version

< 100

< 88

Safari version

< 15.4

< 14.1

Edge version

< 102

< 90

Updated as of May 2025. Release version history is available for Chrome, Firefox, Safari, and Edge.

Professional bot mitigation software gives you advanced insight into bot traffic and allows you to configure custom rules to protect against it. These detection tactics include:

  • Anomaly detection: Detecting and flagging abnormal access patterns, such as low latency, high rate of attempts, or abnormal user journeys.

  • Reputation scores: Automatic scoring of IP addresses based on user behavior, past network activity, and other signals.

  • Blocking known bots & data centers: Maintaining a list of known bots and data centers that are associated with malicious activity.

  • Device fingerprinting: Looking at combinations of hardware, software, browser settings, and more to create a “fingerprint” for each device.

  • Behavioral analysis: Observing how visitors interact with via signals like mouse movements, click patterns, and typing behavior.

  • Repeated requests from single IP: Identifying aggressive IP addresses by tracking rate or volume of requests.

  • Visitor identification: Tying visitors to an “identity signal”, such as a login, promo code, email, or other unique identifier to enforce one session or transaction per visitor.

  • Irregular or outdated user agents: Identifying bots via outdated user agents that are no longer used by regular human visitors.

2. Take action against suspicious traffic

It’s one thing to identify suspicious traffic. It’s another to respond.

Your bot mitigation solutions should let you not only block malicious traffic, but also test suspicious traffic. Common tests include CAPTCHA challenges and Queue-it's Proof-of-Work challenge.

While sophisticated bots today can solve most CAPTCHAs, the challenge mechanism is still useful for quickly and easily blocking simple bots, such as scrapers. Many of our customers still use CAPTCHAs, and we still see sales in 2025 where millions of visitors fail the CAPTCHA challenge.

Queue-it's Proof-of-Work challenge targets bots attacking using volume by using computing power as the limiting factor for bots. It makes every visitors' device complete a computational challenge that's invisible to regular users, but overloads the devices of bot operators who are trying to get hundreds or thousands of spots simultaneously.

For users flagged as bots, you need to tag and mitigate them. Options range from blocking the bots completely, rate-limiting them, or redirecting them to decoy sites. Logging information about these blocked bots can also help prevent future attacks.

3. Control & block bots with a virtual waiting room

A security checkpoint in an airport screens passengers before they can board their flight.

Similarly, a virtual waiting room acts as a checkpoint inserted between a web page on your website and the purchase path.

This security checkpoint slows down and controls traffic, allowing you to run a series of  bot checks on visitors before they hit your site or perform a protected action. It also enables you to prevent load-induced issues like crashes, slowdowns, and overselling by giving you control over the rate at which visitors hit your site or key bottlenecks.

Ticketmaster, for instance, reports blocking over 13 billion bots with the help of Queue-it's virtual waiting room.

Related: Protect Against Bad Bots & Prevent Abuse With a Virtual Waiting Room

By managing your traffic, you'll get full visibility with server-side analytics that helps you detect and act on suspicious traffic. For example, the virtual waiting room can flag aggressive IP addresses trying to take multiple spots in line, or traffic coming from data centers known to be bot havens. These insights can help you close the door on bad bots before they ever reach your website.

Queue-it traffic insights Alerts page

A screenshot of the Alerts page from Queue-it's Traffic Insights analytics tool


4. Leave time for after-sale audits

Some shopping bots will get through even the best bot mitigation strategy. But just because the bot made a purchase doesn’t mean the battle is lost.

If you’re selling limited-inventory products, dedicate resources to review the order confirmations before shipping the products.

This is a strategy used by retailers including Walmart and Very. It can go a long way in bolstering consumer confidence that you’re truly trying to keep releases fair.

Review the orders and ask:

  • Are there multiple orders shipping to the same address?
  • Were several orders made using the same IP address?
  • Was the same credit card used by different customers?
  • Is there social media chatter from customers bragging about how they used bots to buy your product?

Taking a critical eye to the full details of each order increases your chances of identifying illegitimate purchases. 

But the most advanced bot operators work to cover their tracks. They use proxies to obscure IP addresses and tweak shipping addresses—an industry practice known as “address jigging”—to fly under the radar of these checks.

In the TechFirst podcast clip below, Queue-it Co-founder Niels Henrik Sodemann explains to John Koetsier how retailers prevent bots, and how bot developers take advantage of P.O. boxes and rolling credit card numbers to circumvent after-sale audits. 



Why is bot management necessary?

You may be wondering, do shopping bots pose business risks if they result in products selling out? A sale's a sale, right?

This is a question many businesses face. While a one-off product drop or flash sale selling out fast is typically seen as a success, bots pose major risks to several key drivers of ecommerce success.

From harming loyalty to damaging reputation to skewing analytics and spiking ad spend—when you’re selling to bots, a sale’s not just a sale.

 

1. Bots harm customer trust & loyalty

Simply put, genuine shoppers view shopping bots snapping up most or all available product as incredibly unfair. 35% of online businesses report bot attacks result in:

  • Brand or reputational damage
  • Reduction in online conversions
  • More frequent data leaks

Back in the day shoppers waited overnight for Black Friday doorbusters at brick and mortar stores. They understood if products sold out.

There was a cost to getting in line in the wee hours. Sacrificing sleep. Missed time relaxing at home with family. And so on.

Online shopping bots let bot operators hog massive amounts of product with no inconvenience—they just sit at their computer screen and let the grinch bots do their dirty work.

Tweet reading: "At this point something has to be done about the sneaker bots. It's unfair"

In the frustrated customer’s eyes, the fault lies with you as the retailer, not the grinch bot. It’s seen as your failure. Genuine customers feel lied to when you say you didn’t have enough inventory. They believe you don’t have their interests at heart, that you’re not vigilant enough to stop bad bots, or both.

Fairness is one of the most important predictors of loyalty to ecommerce brands. This means if you’re not the sole retailer selling a certain item, shoppers will move to retailers where they feel valued. If you are the sole retailer, shoppers can get so turned off that your brand becomes radioactive—they won’t shop with you again, and they’ll tell their friends and family not to either.

RELATED: Customer Loyalty in Ecommerce: The Surprising Benefits of Fairness

 

2. Bots make you miss connections with genuine customers

When a true customer is buying a PlayStation from a reseller in a parking lot instead of your business, you miss out on so much.

First, you miss a chance to create a connection with a valuable customer. Hyped product launches can be a fantastic way to reward loyal customers and bring new customers into the fold. Shopping bots sever the relationship between your potential customers and your brand.

Second, this ruptured relationship loses you sales in the future. The lifetime value of the grinch bot is not as valuable as a satisfied customer who regularly returns to buy additional products.

Grinch bots are in it to flip a couple select items.

They couldn’t care less about your product bundles.

They won’t evangelize your brand.

And they certainly won’t engage with customer nurture flows that reduce costs needed to acquire new customers.

RELATED: Ecommerce Loyalty Programs: How to Keep Customers Coming Back for More

What’s worse, for flash sales on big days like Black Friday, retailers often sell products below margins to attract new customers and increase brand affinity among existing ones. In these scenarios, getting customers into organic nurture flows is enough for retailers to accept minor losses on products.

But when bots target these margin-negative products, the customer acquisition goals of flash sales go unmet. All you achieve is low-to-negative margin sales without any of the benefits.

Last, you lose purchase activity that forms invaluable business intelligence. Resellers get data on who the actual buyers are, not you. This leaves no chance for upselling and tailored marketing reach outs.

If you’re thinking, “Well, as long as someone buys my products, it’s not my problem what they do with them,” then you’re missing the crucial point of customer experience optimization: it’s not about how much product is purchased, it’s about how many customers you can give a great experience.

Retailers are at their most visible during hyped product drops and flash sales, and if all your products are out-of-stock and listed elsewhere by resellers, you lose a key opportunity to give a great brand experience to thousands of customers. They’ll be dismayed and seek products from competitors.

 

3. Bots jeopardize business contracts

In the ticketing world, many artists require ticketing companies to use strong bot mitigation. If the ticketing company doesn’t, they simply won’t get the contract.

The retail world is starting to see similar trends. For example, graphics card producer AMD sent a letter to all its retailers saying they “strongly recommend” the retailers take the following steps:

  • Bot detection and management
  • CAPTCHA implementation
  • Purchase limits
  • Reservations
  • Manual order processing
  • Limit reseller sales (B2B)
  • Inventory-to-Cart allocation

What is now a strong recommendation could easily become a contractual obligation if the AMD graphics cards continue to be snapped up by bots. Retailers that don’t take serious steps to mitigate bots and abuse risk forfeiting their rights to sell hyped products.

 

4. Bots increase operational & support costs

Immediate sellouts will lead to higher support tickets and customer complaints on social media. This means more work for your customer service and marketing teams.

Research estimates 75% to 80% of ecommerce operational costs are negatively impacted by malicious bots. These include:

  • Website infrastructure costs
  • Advertising and marketing expenditure
  • Customer support costs
  • Checkout fraud costs

In another survey, 33% of online businesses said bot attacks resulted in increased infrastructure costs. While 32% said bots increase operational and logistical bottlenecks.

Plus, if a bot attack slows or crashes your site, the burden on your teams and revenue will be even worse.


RELATED: The Cost of Downtime: IT Outages, Brownouts & Your Bottom Line

5. Bots create faulty analytics for decision-making

Bots can skew your data on several fronts, clouding up the reporting you need to make informed business decisions.

The fake accounts that bots generate en masse can give a false impression of your true customer base. Since some services like customer management or email marketing systems charge based on account volumes, this could also create additional costs.

Denial of inventory bots can wreak havoc on your cart abandonment metrics, as they dump product not bought on the secondary market.

Marketing spend and digital operations are just two of the many areas harmed by shopping bots.

 

6. Bots crash & slow down websites

By their nature, shopping bots use volume to their advantage. So it’s not difficult to see how they overwhelm web application infrastructure, leading to site crashes and slowdowns.

45% of online businesses said bot attacks resulted in more website and IT crashes.

To get a sense of scale, consider data from Akamai that found one botnet sent more than 473 million requests to visit a website during a single sneaker release.

Or think about a stat from GameStop’s former director of international ecommerce. “At times, more than 60% of our traffic - across hundreds of millions of visitors a day - was bots or scrapers,” he told the BBC. With recent hyped releases of the PlayStation 5, there’s reason to believe this was even higher.

When Walmart.com released the PlayStation 5 on Black Friday, the company says it blocked more than 20 million bot attempts in the sale’s first 30 minutes. Every time the retailer updated the stock, so many bots hit that the website of America’s largest retailer crashed several times throughout the day. 

Bots will even take a website offline on purpose, just to create chaos so they can slip through undetected when the website comes back online.

Whether an intentional DDoS attack or a byproduct of massive bot traffic, website crashes and slowdowns are terrible for any retailer. They lose you sales, shake the trust of your customers, and expose your systems to security breaches.

Related: Prevent Website Crashes From Bot Traffic With a Virtual Waiting Room

Summary: Ecommerce bot protection

Shopping bots are becoming more sophisticated, easier to access, and are costing retailers more money with each passing year.

The brands that’ve struggled with bots for years, such as Nike, Sony, Amazon, and Walmart, know the threat of bots and are working hard to protect against them. But it’s no longer just big electronic and sneaker retailers that are facing bots. Bot traffic is growing across ecommerce and is impacting small and large websites alike.

To summarize the key points you need to know about online shopping bots:

  • Shopping bots are software designed to give users an unfair advantage while shopping online.

  • They scan websites and execute lightning-fast purchases in massive volumes to clear out stock for resale on secondary markets.

  • Retail bots come in all shapes and sizes, from scraping bots to account creation bots to denial of inventory bots.

  • Ecommerce bots target sales and product drops where they know they can resell products for profit, such as sneaker, graphics card, and gaming console releases.

  • You can identify a bot problem by digging through your analytics and identifying abnormal behavior, or by using bot mitigation software. 

  • Bots tarnish brand image, sever connections with valuable customers, crash websites, jeopardize business contracts, increase support costs, and muddle analytics crucial to decision making.

  • You need a suite of bot mitigation tactics to stay on top of your bot problem, from CAPTCHAs to web traffic management to post-sale audits.

While there's no one-and-done solution to prevent every bot every time, there are many tools available to protect your ecommerce site from bots and the problems they bring with them. It's important you evaluate your bot problem and take action, because as brands from Nike to Amazon to Sony to Foot Locker recognize, the fight against bots is a fight for your customers.

(This blog has been updated since it was written in 2021.)

Discover 10 ways to stop bad bots with your free retail bots guide